SANs used to be exclusively defined as Fibre Channel storage area
networks. These SANs were largely insulated from outside attack with no
Internet-bound pipes, limited network connections, and small-scale
workgroup deployments. Under these protected conditions, security was
not a huge issue.


Then everything changed.

Consolidation. IP SANs. NAS. Remote connections. Multiple ports.
Any-to-any connectivity. All of these evolutions meant that storage
networks were becoming more and more vulnerable to attack and more at
risk for security breaches.

With Malice Aforethought

The growth in IP-based SANs has made online storage more vulnerable
to the same attacks that IP networks have fought for years. In 2005, the
FBI surveyed more than 2000 private and public organizations to get some
idea of the scope of cyber-crime. A whopping 90% of the surveyed
companies reported that they had suffered attacks that year and had
scrambled to increase computer security. Computer viruses and worms
ranked the highest for sheer number of attacks, followed by DoS (denial
of service) attacks. All three can be devastating to IP-based storage
networks. Take distributed denial-of-service (DDoS) and distributed
reflection denial-of-service (DRDoS) attacks, which flood IP networks
with bogus traffic, usurping bandwidth and overtaxing web servers to
prevent legitimate traffic from getting through. Hosting providers,
eCommerce companies, financial institutions, broadband Internet operators, government--any enterprise using IP-based services including
IP SANs--are vulnerable to this type of attack.

Even well protected Fibre Channel SANs are vulnerable to the most
omnipresent human threat out there--employees. When a human being
presents a threat, most people immediately picture shadowy outlaw
hackers. However, company employees present much greater threats than
outsiders. Many a SAN has been damaged by inexperienced or overtired
storage administrators, and the FBI claims that 75% of losses from
security breaches are from internal sources. Whether the threat arises
from ignorance or from malice, Fibre Channel networks remain vulnerable
to the insider, and a malicious or mistaken staffer or consultant can
open the network to external intrusion.

Fortunately, even inside attacks can be foiled with the proper
security approaches. Authentication protocols are key in this respect,
especially because Fibre Channel depends heavily on name-based servers.
Authentication schemes use ANSI standards to define access control to
each server using ANSI-specified client interfaces. If a service request
lacks the security header--for example, a spoofing attack with an
authentic login but no accompanying header--it will be denied.
Authentication has taken longer to develop in the Fibre Channel SAN
world than in the IP network, with SAN administrators assuming that
authentication already took place at the network perimeter, and possibly
at the database and application levels. However, this bad security habit
opened up the Fibre Channel SAN to unacceptable levels of risk.
Authentication protocols for Fibre Channel are becoming more common,
including Fibre Channel Authentication Protocol (FCAP), DH-CHAP (Diffie-Hellman CHAP), and Fibre Channel Security Protocol (FC-SP).
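The paragraph above says a request with an authentic login but no security header is denied. As an added illustration (not code from the article or from any FC-SP implementation), the following toy Python model shows the challenge/response principle behind CHAP and the Diffie-Hellman twist DH-CHAP adds: the response binds a shared secret to a fresh challenge and to an ephemeral DH value, so a bare login, a guessed secret, or a replayed response all fail. The DH group, node names and secrets are constructed for the example, and the message layout is a simplification, not the FC-SP wire format.

```python
"""Toy challenge/response in the spirit of DH-CHAP (added illustration,
not the FC-SP wire format).  A CHAP response binds a shared secret to a
fresh challenge; DH-CHAP also folds an ephemeral Diffie-Hellman value into
the hash so a captured response is useless later.  Here it shows why a
request that carries a valid node name but no security header is denied."""
import hashlib
import hmac
import secrets

# Constructed toy group: 2**127 - 1 is prime and 3 is used as generator.
# Real fabrics use the DH groups the standard specifies, not this one.
P = 2**127 - 1
G = 3

# Constructed per-node shared secrets keyed by a made-up WWN-style name.
SECRETS = {
    "10:00:00:00:c9:aa:bb:cc": b"constructed-secret-for-host-a",
}


def compute_response(secret: bytes, challenge: bytes, dh_shared: int) -> bytes:
    """R = SHA-256(challenge || secret || g^(xy) mod p)."""
    shared_bytes = dh_shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(challenge + secret + shared_bytes).digest()


class Authenticator:
    """Switch-side state for one login attempt: a fresh challenge and DH half."""

    def __init__(self, node_name: str):
        self.node_name = node_name
        self.challenge = secrets.token_bytes(16)
        self._x = secrets.randbelow(P - 2) + 1       # private exponent
        self.public = pow(G, self._x, P)             # g^x mod p sent to the host

    def verify(self, request: dict) -> bool:
        """Accept only a request whose security header checks out."""
        if request.get("node_name") != self.node_name:
            return False
        # The spoofing case from the article: right name, no security header.
        if "response" not in request or "dh_public" not in request:
            return False
        secret = SECRETS.get(self.node_name)
        if secret is None:
            return False
        shared = pow(request["dh_public"], self._x, P)
        expected = compute_response(secret, self.challenge, shared)
        return hmac.compare_digest(expected, request["response"])


def build_login(node_name: str, secret: bytes, challenge: bytes, peer_public: int) -> dict:
    """Host side: answer the challenge with its own DH half and the response."""
    y = secrets.randbelow(P - 2) + 1
    shared = pow(peer_public, y, P)
    return {
        "node_name": node_name,
        "dh_public": pow(G, y, P),
        "response": compute_response(secret, challenge, shared),
    }


def demo() -> dict:
    """Run the four cases the text distinguishes and report each verdict."""
    name = "10:00:00:00:c9:aa:bb:cc"
    auth = Authenticator(name)
    good = build_login(name, SECRETS[name], auth.challenge, auth.public)
    verdicts = {
        "genuine host": auth.verify(good),
        "name only, no header": auth.verify({"node_name": name}),
        "wrong secret": auth.verify(build_login(name, b"guess", auth.challenge, auth.public)),
    }
    # Replay: the captured good response offered against a new challenge.
    verdicts["replayed response"] = Authenticator(name).verify(good)
    return verdicts


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} -> {'accepted' if accepted else 'denied'}")
```

Only the first case is accepted; the other three are denied because the response is tied to this challenge, this secret and this DH exchange, which is the property that makes the "authentic login, no header" spoof described above fail.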

Perimeter-based security measures and protocols work against
hackers, whose attacks largely consist of denial-of-service,
man-in-the-middle, spoofing and hijacking. DoS attacks prevent
authorized users from getting to their data, and can include such
activities as issuing repeated login requests, destroying or degrading
network paths by changing fabric topology, and overloading resource
maps. Hackers also use man-in-the-middle attacks to present an address
as an existing legitimate switch. As soon as data starts to flow to the
"switch," the attacker can read, download or change the
forwarded data. He then sends the data on to the real switch. Spoofing
uses a legitimate login to request services and data from the storage
network. Hackers can gain access to logins through previous unauthorized
entry, through automated login search functions, or through
old-fashioned user laziness--even many network administrators never
change their login or freely share it. Hijacking is a version of
spoofing where the hacker can commandeer and control an existing
authentic session.

According to Hitachi Data Systems, attackers can launch any of the
above attacks on different storage network configurations, including
server or storage array to network connections, switch to switch, switch
to storage array, or management interfaces.

* Server or Storage Array to Storage Network Connection. A hacker
uses a network connection to attach to a SAN server or array and
directly downloads sensitive data. He can also hijack legal addresses
and collect data by spoofing or issuing denial-of-service attacks by
flooding the network with login requests or jamming a switch.

* Switch to Switch. Operating on the physical network, or from a
remote management interface, the attacker uses an illegal switch if she
wants to "make changes to" fabric topologies. This results in
mangled paths and subsequent DoS attacks.

* Server to Storage Array. An attacker sets up a private link that
allows a server to send to a storage device not in its zone, possibly
overwriting protected data on zoned devices. Attackers can also
introduce viruses into a server to damage its communication with its
available arrays, and can also issue DoS attacks using this route.

* Management Interface. This type of attack is high risk because it
is potentially devastating to a zone or an entire SAN. According to HDS,
management interface attacks can disrupt network connections, add
illegal accounts, copy data to an illegal recipient, and--worst of
all--destroy data. An attacker who has gained access to a SAN can
install illegal management interfaces unless there is a strong
authentication requirement installed.
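Two of the attacks listed above leave traces a defender can look for in switch logs: the repeated-login denial of service shows up as a burst of fabric logins from one port, and a rogue or impostor switch shows up as an inter-switch link from a switch identity that is not on the approved list. The detector below is an added example, not code from the article or from Hitachi Data Systems; the log format, WWNs, approved-switch list and thresholds are all constructed for it, since real switch syslog formats differ by vendor.

```python
"""Added example: two simple detections over constructed switch log lines.
1. login-flood: more than `threshold` FLOGI (fabric login) events from one
   source WWPN within `window_s` seconds.
2. unknown-switch: an ELP (inter-switch link setup) from a switch WWN that
   is not on the approved list."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log lines in a made-up format; the last line does not match
# the pattern and is skipped, as unrelated log noise would be.
SAMPLE_LOG = """\
2006-03-01T10:00:00 sw1 FLOGI source=10:00:00:00:c9:11:22:33 port=3
2006-03-01T10:00:01 sw1 FLOGI source=10:00:00:00:c9:44:55:66 port=4
2006-03-01T10:00:02 sw1 FLOGI source=10:00:00:00:c9:aa:aa:aa port=7
2006-03-01T10:00:02 sw1 FLOGI source=10:00:00:00:c9:aa:aa:aa port=7
2006-03-01T10:00:03 sw1 FLOGI source=10:00:00:00:c9:aa:aa:aa port=7
2006-03-01T10:00:03 sw1 FLOGI source=10:00:00:00:c9:aa:aa:aa port=7
2006-03-01T10:00:04 sw1 FLOGI source=10:00:00:00:c9:aa:aa:aa port=7
2006-03-01T10:00:05 sw1 ELP source=10:00:00:05:1e:00:00:02 port=12
2006-03-01T10:00:06 sw1 ELP source=10:00:00:05:1e:ff:ff:ff port=13
2006-03-01T10:00:07 sw1 PLOGI source=10:00:00:00:c9:11:22:33 port=3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FLOGI|ELP) source=(\S+) port=(\d+)$")

# Constructed list of switch WWNs that are allowed to join the fabric.
APPROVED_SWITCHES = frozenset({
    "10:00:00:05:1e:00:00:01",
    "10:00:00:05:1e:00:00:02",
})


def parse(log: str):
    """Yield (timestamp, switch, event, source WWN, port) for matching lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, switch, event, source, port = m.groups()
        yield datetime.fromisoformat(ts), switch, event, source, int(port)


def detect(log: str, window_s: int = 5, threshold: int = 4,
           approved: frozenset = APPROVED_SWITCHES) -> list:
    """Return alerts as (kind, source WWN, port), each raised once."""
    alerts = []
    recent = defaultdict(deque)          # source WWN -> recent FLOGI times
    for ts, _switch, event, source, port in parse(log):
        if event == "FLOGI":
            q = recent[source]
            q.append(ts)
            # Drop logins older than the sliding window.
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) == threshold:      # fire exactly when the threshold is crossed
                alerts.append(("login-flood", source, port))
        elif event == "ELP" and source not in approved:
            alerts.append(("unknown-switch", source, port))
    return alerts


if __name__ == "__main__":
    for kind, source, port in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: source={source} port={port}")
```

On the sample, the host on port 7 trips the flood rule at its fourth login inside the window and the second ELP comes from a switch WWN outside the approved list. In practice the approved list would be the set of switch WWNs the fabric administrator has authorized, and the threshold tuned to the fabric's normal login rate.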

Security developers have come a long way with Fibre Channel SAN
security in the last few years. They are focusing new development on
more comprehensive protection against intrusion and on simplifying
procedures to cut down on internal storage management mistakes.

Mitigating Internal Threats

Malicious insider threats typically involve disgruntled employees
or contractors. These people have legitimate access and privileges to
storage systems and can wreak havoc if not stopped. According to
Brocade, companies can foil inside attacks and errors by building
security-conscious networks, including dividing responsibilities between
administrators, auditing and tracking network changes, separating secure
storage areas, and training employees to be security compliant.

It's important to divide responsibilities between
administrators so no one individual can do serious damage to the entire
storage network. Even though most storage administrators wouldn't
dream of deliberately damaging their networks, human error is an
extremely common cause of SAN disruptions. Incomplete knowledge and
training, lack of operational procedures, ignoring procedures,
fatigue--all of these factors play their parts in threats to the SAN. To
allay internal threats, develop solid operational procedures, audit for
compliance, carefully assign administrator privileges, and do not trust
any one person with immediate authority over the entire SAN.

Even in this day of rapid consolidation, it's a good idea to
physically separate highly sensitive networks. It's not necessary
to split the networks geographically, although you can. Isolating SAN
fabrics with switches is a good way to accomplish separation within a
single physical data center while still being able to share resources as
needed. Less secure but still useful approaches include zoning,
partitioning, and other methods to protect SAN domains against
deliberate attacks and errors such as accidental overwriting.

It's also important to audit for compliance with security
measures. This helps the corporation to protect against attack and to
track activities and individuals who might attempt to launch an attack.
(Or who are simply not well trained enough for their responsibilities.)
In fact, compliance auditing is an excellent component to building a
security-conscious corporate culture. When a corporation builds systems,
audits, and training around security, employees will a) learn to manage
security better, and b) avoid doing deliberate damage since they'll
be caught. Since the majority of employee-caused damage is sheer human
error, training and attention will mitigate most storage security
meltdowns.

Christine Taylor is a freelance writer and journalist.

Table: The Three Components of Securing Storage (NeoScale)

Authentication. Authentication procedures test and accept/reject user
and system identities. New storage-specific standards and protocols such
as Diffie-Hellman CHAP are emerging for the storage infrastructure. In
the past, storage administrators depended on outside authentication from
the IP network and file/application levels, but this is no longer
adequate to protect storage networks from attack.

Access control. Access control limits the ability of the user or system
to access data. Within the storage infrastructure, which servers may
access which data is controlled by zoning and LUN mapping. Access control
protects not only against malicious attacks but also against accidental
overwriting caused by a server's operating system.

Encryption. Encryption scrambles data to prevent unauthorized persons
from reading it. Two primary components make up the encryption process:
the encryption algorithm and the key. Encryption is particularly
important for data in transit, whether digital or physical.
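The "Access control" row of the table and the separation paragraph earlier both rest on two independent layers: fabric zoning, which decides which ports may talk at all, and array-side LUN masking (LUN mapping), which decides which initiator may see which LUN. The following is an added example, not code from the article, Brocade or NeoScale, with a constructed fabric, made-up WWPNs and a made-up LUN table. It checks a request against both layers, so that a server zoned with a target port is still kept off a LUN that belongs to another host (the accidental-overwrite case the table names), and it enumerates effective access for the compliance audits the article recommends.

```python
"""Added example: zoning plus LUN masking as two independent access-control
layers, with an audit view of the effective result."""
from dataclasses import dataclass

# Constructed fabric: every name and WWPN below is made up for the example.
HOST_A = "10:00:00:00:c9:11:11:11"
HOST_B = "10:00:00:00:c9:22:22:22"
HOST_C = "10:00:00:00:c9:33:33:33"
ARRAY_P1 = "50:06:01:60:00:aa:00:01"   # storage array target port 1
ARRAY_P2 = "50:06:01:60:00:aa:00:02"   # storage array target port 2


@dataclass(frozen=True)
class Zone:
    name: str
    members: frozenset  # WWPNs allowed to communicate with each other


# Active zone set: one single-initiator zone per host and target port.
ZONESET = (
    Zone("z_hostA_p1", frozenset({HOST_A, ARRAY_P1})),
    Zone("z_hostB_p2", frozenset({HOST_B, ARRAY_P2})),
    Zone("z_hostC_p1", frozenset({HOST_C, ARRAY_P1})),
)

# Array-side LUN masking: (target port, LUN) -> initiators allowed to see it.
LUN_MASK = {
    (ARRAY_P1, 0): frozenset({HOST_A}),
    (ARRAY_P1, 1): frozenset({HOST_C}),
    (ARRAY_P2, 0): frozenset({HOST_B}),
}


def zoned_together(zoneset, initiator: str, target: str) -> bool:
    """Fabric layer: the two ports share at least one active zone."""
    return any(initiator in z.members and target in z.members for z in zoneset)


def lun_allowed(mask, initiator: str, target: str, lun: int) -> bool:
    """Array layer: the initiator is on the LUN's access list."""
    return initiator in mask.get((target, lun), frozenset())


def check_access(zoneset, mask, initiator: str, target: str, lun: int):
    """Return (allowed, reason). Both layers must agree before I/O is allowed."""
    if not zoned_together(zoneset, initiator, target):
        return False, "fabric zoning: initiator and target share no zone"
    if not lun_allowed(mask, initiator, target, lun):
        return False, "LUN masking: initiator not in the LUN's access list"
    return True, "allowed"


def effective_access(zoneset, mask) -> dict:
    """Audit view: which initiators can actually reach each (target, LUN)."""
    targets = {t for (t, _lun) in mask}
    initiators = {m for z in zoneset for m in z.members} - targets
    return {
        (target, lun): sorted(
            i for i in initiators if check_access(zoneset, mask, i, target, lun)[0]
        )
        for (target, lun) in sorted(mask)
    }


if __name__ == "__main__":
    # HOST_A is zoned with ARRAY_P1 but LUN 1 there is masked to HOST_C.
    print(check_access(ZONESET, LUN_MASK, HOST_A, ARRAY_P1, 1))
    for key, who in effective_access(ZONESET, LUN_MASK).items():
        print(key, "->", who)
```

The second layer is what stops the overwrite case: HOST_A legitimately reaches LUN 0 on ARRAY_P1, and zoning alone would also let it address LUN 1 on the same port, but masking denies it. Running the audit view after every zoning or masking change, and keeping the output with the change record, gives the tracking the article asks for.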

COPYRIGHT 2006 West World Productions, Inc.